customize Yii2 RBAC system

I am using Yii2 RBAC DbManager and it works quite well. Though it works for simple cases, I have complex requirements that require customizing the default RBAC setup, and I would love to hear your opinions.

I am building a school management system. The requirement is that each school would need its own RBAC:

  • same permission names (such as "manage course", "manage student")

  • roles are tied to each school specifically

    ◦ a school cannot see other schools' roles (e.g. when school A goes to the Role Management page, only roles belonging to school A show)

    ◦ schools can use the same name (such as: school A has "Administrator" as a role, school B has "Administrator")

Obviously, the requirements ask for new columns in the default RBAC tables. I don't know what to do:

  • Should I extend the DbManager? Is it too difficult to do?

  • Should I use ActiveRecord (ignoring the authManager methods) to handle roles/permissions?

I would say extend the DbManager; it might come in handy in future if you add more features later on.

Do you even need to extend it?

As you described it, it is fairly standard RBAC.

You obviously need a rule called "can administrate own school".

There are a lot of RBAC extensions that can help make the process of creating a RBAC easier, but I don’t think you need to extend the RBAC dbmanager at all. :)

I agree with @jacmoe.

Try to reconsider your RBAC hierarchy, especially the role that you have named “Administrator”. Is it really the administrator of your whole app? Or, in other words, does a school really need “Administrator”? No, I don’t think so. A school only needs "SchoolAdmin"s who have the right to administrate their own school.

What I understood from the post is that he is asking for different roles for each school, possibly with the same name. But if you can do the reverse, where an administrator can have access to multiple schools, then you don't need to extend the DbManager.

No, that’s not the case.

The ‘Administrator’ role needs a ‘can view and manage’ rule.

It should check against school_id.

What he wants is a classic RBAC, if you forgive me my pun: it is a school example of RBAC, in fact :)

EDIT:

Roles, Rules and Permissions - that’s 3 things - it’s easy to get confused.

Take a blog posting example, where there is a super admin who can do everything and blog writers who can only edit their own posts.

Hi guys,

Thank you for all the feedback. I would like to give more details so we all have the same understanding.

I have a set of permission names: "manage course", "manage employee", "manage student". These permissions are fixed and cannot be changed.

1 school can have many users. 1 user can be assigned to 1 role. 1 role can have 1 or more permissions.

For example:

Role = "School Administrator" has "manage course", "manage employee", "manage student" permissions

Role = "Teacher" has "manage course" and "manage student" permissions

When a school is created, an "admin" type role is created and assigned to a user so he/she can start managing the school. The user can add new roles (e.g. Teacher) and assign the "Teacher" role to other users. The school is free to create as many roles as they like.

The issues with the current RBAC, to the best of my knowledge, are:

  1. a school A user can view/update/delete school B roles and vice versa

  2. RBAC/DbManager cannot distinguish roles with the same name (e.g. school A creates a "Teacher" role and school B also has a "Teacher" role; I have an issue when I try to update the "Teacher" role: which "Teacher" role, school A's or school B's?)

My thoughts are adding a school_id column to

  • auth_assignment

  • auth_item

  • auth_item_child

and then extending DbManager.

I wonder if there are easier solutions.

That looks like very basic Yii 2 RBAC, to be honest.

Make sure that you understand how RBAC works:

Yii 2.0 Part 8 - Role-based Access Control (rbac)

Create the permissions first.

Then, you start creating the first role, that has the least amount of permissions.

You add (assign) one or more permissions to that role.

The second role inherits the first role and has additional permissions.

For instance, your Administrator inherits from Teacher.

And, finally, you need a RBAC rule that determines if a particular Teacher / Administrator has the permissions to do whatever they need to do.

You just check if the ID of their associated School matches. :)

As a starting point, you can add the permission "manageOwnSchool" to the Administrator and the permission "useOwnSchool" to the Teacher - call them whatever you want - and attach a Rule to each of them.

Then add the rest of the permissions as children to each of them.

It would probably be a good idea to add a SuperAdministrator that is able to administrate everything.
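The hierarchy jacmoe describes above, written out as an added example (not code from the thread or from the Yii project): a `Rule` that compares the acting user's `school_id` with the school passed in `$params`, a console action that builds the fixed permissions, the two rule-carrying gate permissions, and the roles, and a controller check that passes the school context. The `common\models\User` class with a `school_id` column and a `school` relation, the `School` model with an `id`, and the file paths are assumptions for the illustration.

```php
<?php
// file: common/rbac/SchoolRule.php (assumed path)
namespace common\rbac;

use yii\rbac\Rule;
use common\models\User; // assumed ActiveRecord with a school_id column

class SchoolRule extends Rule
{
    public $name = 'isOwnSchool';

    // $user is the ID of the user being checked, $params is what the controller
    // passed to Yii::$app->user->can(). The rule only grants access when the
    // caller supplies a school and it is the acting user's own school.
    public function execute($user, $item, $params)
    {
        if (!isset($params['school'])) {
            return false; // fail closed: no school context, no access
        }
        $actor = User::findOne($user);
        return $actor !== null
            && (int) $actor->school_id === (int) $params['school']->id;
    }
}

// file: console/controllers/RbacController.php (assumed path)
namespace console\controllers;

use Yii;
use yii\console\Controller;
use common\rbac\SchoolRule;

class RbacController extends Controller
{
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // rebuild from scratch; fine for a dev seed script

        $rule = new SchoolRule();
        $auth->add($rule);

        // Fixed, application-wide permissions named in the thread.
        $manageCourse   = $auth->createPermission('manageCourse');
        $manageStudent  = $auth->createPermission('manageStudent');
        $manageEmployee = $auth->createPermission('manageEmployee');
        foreach ([$manageCourse, $manageStudent, $manageEmployee] as $permission) {
            $auth->add($permission);
        }

        // Gate permissions that carry the school rule; the concrete permissions
        // hang under them, so every check has to pass through the rule.
        $useOwnSchool = $auth->createPermission('useOwnSchool');
        $useOwnSchool->ruleName = $rule->name;
        $auth->add($useOwnSchool);
        $auth->addChild($useOwnSchool, $manageCourse);
        $auth->addChild($useOwnSchool, $manageStudent);

        $manageOwnSchool = $auth->createPermission('manageOwnSchool');
        $manageOwnSchool->ruleName = $rule->name;
        $auth->add($manageOwnSchool);
        $auth->addChild($manageOwnSchool, $manageEmployee);

        // Roles: the one with the fewest permissions first, then the one that inherits it.
        $teacher = $auth->createRole('teacher');
        $auth->add($teacher);
        $auth->addChild($teacher, $useOwnSchool);

        $schoolAdmin = $auth->createRole('schoolAdministrator');
        $auth->add($schoolAdmin);
        $auth->addChild($schoolAdmin, $manageOwnSchool);
        $auth->addChild($schoolAdmin, $teacher);

        // Platform owner: reaches the permissions directly, so no school rule applies.
        $superAdmin = $auth->createRole('superAdministrator');
        $auth->add($superAdmin);
        foreach ([$manageCourse, $manageStudent, $manageEmployee] as $permission) {
            $auth->addChild($superAdmin, $permission);
        }
    }
}

// Usage inside a frontend controller action, where $course->school is the
// assumed School model the record belongs to:
//
// if (!Yii::$app->user->can('manageCourse', ['school' => $course->school])) {
//     throw new \yii\web\ForbiddenHttpException('Not allowed for this school.');
// }
```

With this layout the role names are application-wide (`teacher`, `schoolAdministrator`) rather than one "Teacher" per school, which sidesteps the duplicate-name problem: what separates school A's teacher from school B's is the `school_id` on the user record, checked by the rule, not a second row in `auth_item`. When `Yii::$app->user->can()` walks from `manageCourse` up to the assigned role it executes the rule on `useOwnSchool` or `manageOwnSchool` along the way, so the `school` parameter must be passed on every check; the rule's fail-closed branch means a check that forgets it is denied rather than silently allowed.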

Hi Jacmoe,

Thanks for your replies. I realize that I have to implement rules for some permissions so that school A personnel cannot update school B data.

The setup is best described with the Yii2 advanced template.

Backend app - as the owner of the software, I am SuperAdministrator; I manage school accounts from here.

Frontend app - this is where a school does its day-to-day work. The workflow will be like this:

For school #1:

  1. School #1 signs up

  2. A school account with "jacmoe" as the user with the Administrator role is created, so the user can start adding more users to his school

  3. "jacmoe" creates a new role "Teacher" and assigns it to other users in his school

Now, school #2 also wants to use this cool system and signs up:

  1. School #2 signs up

  2. A school account with "nguyendh" as the user with the Administrator role is created

  3. "nguyendh" also creates a new role "Teacher" (same name as in jacmoe's school) and assigns it to other users in his school

How do I handle the situation when more than one school uses the same role name?

Hi @nguyendh,

I see @jacmoe wasn’t able to answer your question. I think the issue is that the role name is the primary key on the auth_item table. Did you ever come up with a solution for this? If so, would you mind sharing it with me please? I am in the same situation with my current project.

Thanks,

Ben

Hi Ben,

No, it was @nguyendh that failed to understand what @jacmoe had said.

In an RBAC system, it is not common practice to give the end users ("jacmoe" and "nguyendh") the right to "create" RBAC items like roles and permissions. It is, IMO, a bad idea. The end users should only be granted the right to assign or revoke pre-defined roles, even if they have administrative roles.
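The last reply's point, that in-school administrators assign pre-defined roles rather than create them, as an added example (not code from the thread): a frontend action that lets a school administrator hand out a role from a fixed allow-list to a user of their own school. It assumes the hierarchy from the earlier replies (a `manageEmployee` permission whose path carries a rule that compares `school_id`), a `common\models\User` ActiveRecord with a `school` relation, and the file path; all of these are illustrative.

```php
<?php
// file: frontend/controllers/UserController.php (assumed path)
namespace frontend\controllers;

use Yii;
use yii\web\Controller;
use yii\web\BadRequestHttpException;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use common\models\User; // assumed ActiveRecord with school_id and a school relation

class UserController extends Controller
{
    // Roles a school administrator may hand out. Fixed by the application, so
    // nobody in a school can mint a new role or grant one above this list.
    const ASSIGNABLE_ROLES = ['teacher'];

    public function actionAssignRole($userId, $roleName)
    {
        $auth = Yii::$app->authManager;

        $target = User::findOne($userId);
        if ($target === null) {
            throw new NotFoundHttpException('User not found.');
        }

        // Scope check: the acting user must hold manageEmployee for the target's
        // school. The school parameter is what the rule in the hierarchy compares.
        if (!Yii::$app->user->can('manageEmployee', ['school' => $target->school])) {
            throw new ForbiddenHttpException('Not allowed for this school.');
        }

        // Allow-list check: only pre-defined, non-administrative roles can be assigned.
        if (!in_array($roleName, self::ASSIGNABLE_ROLES, true)) {
            throw new BadRequestHttpException('This role cannot be assigned here.');
        }

        $role = $auth->getRole($roleName);
        if ($role === null) {
            throw new NotFoundHttpException('Role is not defined.');
        }

        // One role per user, as described in the thread: drop existing
        // assignments before adding the new one.
        $auth->revokeAll($target->id);
        $auth->assign($role, $target->id);

        return $this->redirect(['view', 'id' => $target->id]);
    }
}
```

Two checks do the work here: the `can()` call with the target user's school keeps school A's administrator from touching school B's users (the `auth_assignment` table needs no `school_id` column for that), and the allow-list keeps the set of grantable roles under the application's control, so an in-school administrator cannot promote someone to `schoolAdministrator` or `superAdministrator` through this action.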